
RE: Multi-homed machine and TLS (not related to Multi-home but TLS CACERT confusion)



On Thu, 2004-09-16 at 10:05, Tay, Gary wrote:
> Very sorry in my last mail I had mistaken and confused CA Cert and
> Server Cert, in my case the file cacert.pem at ALL LDAP Clients contain
> TWO CA Certs (demoCA) I created using guidance from
> http://www.openldap.org/pub/ksoper/OpenLDAP_TLS_howto.html, one created
> at the MASTER LDAP, the other at the SLAVE.
> 
> I put TWO CA Certs into cacert.pem at ALL LDAP Clients, and tested the
> MASTER to SLAVE failover works
> BUT
> I put ONE CA Cert (the demoCA created) at MASTER and SLAVE LDAP Server
> 
> Allow me to show portion of "man ldap.conf" (from 2.2.15 TLS_CACERT is
> there, but they ARE MISSING in 2.2.13), I follow the notes here and PUT
> TWO CA Certs in cacert.pem at LDAP client
> ===
>      TLS_CACERT <filename>
>           Specifies the file that contains certificates  for  all
>           of  the  Certificate Authorities the client will recog-
>           nize.
> ===
> As the above said certificate(s), I don't understand why do you say _one_
> CA (cert?), do you mean _one_ CA cert(for self-signing Server Cert CSR) at
> EACH LDAP Server? If yes I did not contradict this as I put ONE CA Cert
> (the demoCA created) in cacert.pem of LDAP Server.

You are correct - you can have more than one CA cert in this file, which
is useful when you need to encrypt connections to servers that used
different CAs to issue their certs. But it doesn't make sense to create a
new CA each time you want to issue a server cert. I install and
manage LDAP servers across the UK but I use one (openssl) CA to create
all the server certs. This means that I only need one CA cert for the
client to get encrypted connections to all of them. I do occasionally
have the need to browse remote directories that have certs issued by
another CA and so I _do_ have more than one CA cert in my TLS_CACERT
file.

You seem to be making things more complicated than necessary.

GREG

> 
> Rgds
> Gary

-- 
Greg Matthews
iTSS Wallingford	01491 692445
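An added example, not part of this thread, as a POSIX shell script using openssl(1): it builds two constructed demo CAs in the style of the howto's demoCA, issues a server cert from each, and checks which CA bundle a client's TLS_CACERT file must hold for both servers to verify. The CA names, hostnames and paths are constructed.

```shell
#!/bin/sh
# Added example (not from the thread): two throwaway CAs, one server cert
# from each, and the verification a client performs against its TLS_CACERT
# bundle. Assumes openssl(1) is on PATH; all names and paths are constructed.
set -eu

WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT

# make_ca NAME: self-signed CA key + cert (a constructed demo CA)
make_ca() {
    openssl req -x509 -newkey rsa:2048 -nodes -days 2 \
        -keyout "$WORK/$1-ca.key" -out "$WORK/$1-ca.pem" \
        -subj "/CN=$1 demo CA" >/dev/null 2>&1
}

# issue_server NAME CA: server cert for ldap-NAME.example signed by CA
issue_server() {
    openssl req -newkey rsa:2048 -nodes -keyout "$WORK/$1.key" \
        -out "$WORK/$1.csr" -subj "/CN=ldap-$1.example" >/dev/null 2>&1
    openssl x509 -req -in "$WORK/$1.csr" -CA "$WORK/$2-ca.pem" \
        -CAkey "$WORK/$2-ca.key" -CAcreateserial -days 1 \
        -out "$WORK/$1.pem" >/dev/null 2>&1
}

# verify_with_bundle CERT BUNDLE: exit 0 if CERT chains to a CA cert in
# BUNDLE, non-zero otherwise (the check a client does against TLS_CACERT)
verify_with_bundle() {
    openssl verify -CAfile "$2" "$1" >/dev/null 2>&1
}

# Gary's setup: a separate CA on the master and on the slave.
make_ca master; make_ca slave
issue_server master master
issue_server slave slave

# Client bundle holding only the master's CA cert.
cp "$WORK/master-ca.pem" "$WORK/cacert-one.pem"
# Client bundle holding both CA certs concatenated into one cacert.pem.
cat "$WORK/master-ca.pem" "$WORK/slave-ca.pem" > "$WORK/cacert-both.pem"

# With one CA cert the slave's server cert is rejected (non-zero status);
# with both CA certs in the file, master and slave both verify.
slave_vs_one()   { verify_with_bundle "$WORK/slave.pem"  "$WORK/cacert-one.pem"; }
slave_vs_both()  { verify_with_bundle "$WORK/slave.pem"  "$WORK/cacert-both.pem"; }
master_vs_both() { verify_with_bundle "$WORK/master.pem" "$WORK/cacert-both.pem"; }
```

Greg's point follows directly: with one CA signing every server cert, cacert-one.pem would already verify both servers.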